EU/Surveillance of telecommunications:
Data retention comes to roost - telephone and internet privacy
to be abolished
- proposal broader in scope than 2002 version; grave gaps in
civil liberties protection remain;
- data to be held for between 12 and 36 months, though member
states can opt for longer if they choose;
- data to be retained extended from "traffic data"
to traffic and "location data";
- scope extended from 32 specific offences to any crime;
- scope extended from specific investigations and prosecutions
to "prevention and detection" of crime;
- "This is a proposal so intrusive that Ashcroft, Ridge
and company can only dream about it, exceeding even the US Patriot
Act"

The governments of the UK, France, Ireland and Sweden have
proposed a draft EU Framework Decision that if adopted will see
all communications location and traffic data retained for between
1 and 3 years, or longer, should the member states choose. The
proposal was endorsed by the EU summit on 25 March 2004 as part
of a raft of proposals to combat terrorism in the wake of the
Madrid bombings. This proposal (like many others) is in no way
limited to terrorism, and will apply to the:

"prevention, investigation, detection and prosecution
of crime or criminal offences including terrorism"

The proposal brings home to roost long standing demands by
the law enforcement community for the compulsory retention, and
thus surveillance, of all telecommunications. It is notable that
these demands are coming not from the security and intelligence
services but from national criminal intelligence services. In
August 2002, Statewatch leaked a confidential draft of
this Framework Decision drawn up by the Belgian government (see
background section, below).

The new version of the proposed Framework Decision is, in
privacy and civil liberties terms, worse than before. The original
Belgian proposal contained:

- no grounds for refusing to execute a request on human
rights grounds;
- no limits as to what data can be exchanged where member states
allow for the retention of data on all crimes;
- no reference to supervisory authorities on data protection;
- no reference to the individual's right to correct, delete,
block data nor compensation for misuse or for related judicial
review;
- no reference to controls on the copying of data;
- no rules for checking on the admissibility of data searches.

With the exception of the inclusion of a reference to "rules
on correction and judicial review" (which may prove meaningless
in practice - see analysis below), these shortfalls remain in
the UK/Ireland/France/Sweden proposal. Moreover, two important
safeguards, restricting access to data and limiting the use of
the provisions, have been dropped. The new proposal is
also considerably broader:

- the time period for the storage of data is extended from
12-24 months to 12-36 months (though member states can opt for
longer if they choose);
- the data to be collected is extended from "traffic data"
to traffic and "location" data;
- scope extended from 32 specific offences to "any crime";
- scope extended from specific investigations and prosecutions
to "prevention and detection" of crime.

The new proposal does introduce two derogations for member
states, though these are quite limited. Detailed analysis of
the proposal follows below.

an improper invasion of the fundamental rights guaranteed
to individuals by Article 8 of the European Convention on Human
Rights, as further elaborated by the European Court of Human
Rights.

A legal opinion obtained by Privacy International agreed that:

The data retention regime envisaged by the (EU) Framework
Decision, and now appearing in various forms at the Member State
level, is unlawful.

And a coalition of civil society groups called on the European
Parliament to oppose data retention and:

promote and preserve the most fundamental values democratic
societies must defend: the right to privacy, freedom of expression,
and presumption of innocence.

It should also be pointed out that the proposals will lead to
enormous costs for the telecoms and internet industry. Major
commercial associations have already expressed strong concerns
about plans for data retention. A coalition comprising the International
Chamber of Commerce (ICC), the Union of Industrial and Employers'
Confederation of Europe (UNICE), the European Information, Communications
and Consumer Electronics Technology Industry Association (EICTA)
and the International Telecommunications Users Group (INTUG),
said in a statement last year:

data retention is an intrusive measure that should not
be taken until less intrusive alternatives, such as a European
data preservation regime, have been tested and proven insufficient.

The proposed measures would affect not only consumer confidence
but also business competitiveness, the coalition said, and the
costs of storage should not be borne by the industry, nor the
customer.

Background

The proposal brings home to roost long standing demands by
the law enforcement community for the compulsory retention of
all communications data. Their demands have already resulted
in an amendment of the 1997 EC Directive on privacy in telecommunications
which said that the only purpose for which traffic data could
be retained was for billing (ie: for the benefit of customers)
and then it had to be erased (law enforcement agencies could,
however, get access to the traffic data with a judicial order
for a specific person/group). Despite significant opposition
to the proposed amendments, the obligation to erase data was
finally deleted after an "unholy alliance" between
the two largest parties in the European Parliament (PPE, conservative
and PSE, Socialist groups) reversed the EP's pre 'September 11'
belief that the measure was entirely disproportionate. This allowed
member states to begin passing national laws on data retention;
a survey by Statewatch shows that nine of the 15 EU countries
have already done so (see background documentation, below).

In August 2002, Statewatch published a leaked draft Framework
Decision on mandatory data retention drawn up by the Belgian
government. The then Danish presidency issued a statement saying
that the proposal "was not on the table". Nor was it
- it was "under the table" waiting for the right time
to be produced. Behind the scenes the UK joined the Belgian government
in endorsing the proposals, but because of public opposition
the two were not prepared to formally present the proposal to
the Council (member states).

No sooner had the dust settled from the Madrid bombings, than
the UK went public with plans to resurrect the Framework Decision;
it also figured in proposals from the Commission and the Council.
Again: the proposal is in no way limited to terrorism and concerns
"crime in general". Ireland and France joining the
UK in putting their names to the proposal comes as little surprise
- Ireland leads the member states in having introduced data retention
for at least three years ("Directions" were issued
by the Minister for Public Enterprise in April 2002 under the
Postal and Telecommunications Services Act 1983), while France
has mandatory data retention for up to one year (under Article
29 of the Law on Everyday Security of 15 November 2001). That
Belgium is no longer sponsoring the proposal may be significant,
suggesting that they could endorse such intrusive measures (although
Belgium does have data retention for at least 12 months under
its Computer Crime Act 28 November 2000). Sweden's support is
curious, though it had previously indicated support for a binding
EU measure on data retention. The UK argues that data retention
is included in the Anti-Terrorism, Crime and Security Act 2001
but only in relation to purposes "directly or indirectly
connected with national security". The UK would thus use
EU legislation as a broader legal basis for data retention than
provided by ATSA.

Ben Hayes of Statewatch comments:

"If this proposal was a genuine anti-terrorism measure
it would be clearly restricted to terrorist offences. The fact
that it is so broad as to potentially cover any crime shows just
how cynically EU governments are exploiting the climate engendered
by 'September 11' and now 'March 11'.

This is a proposal so intrusive that Ashcroft, Ridge
and company can only dream about it, exceeding even the US Patriot
Act.

What is needed is good intelligence on specific threats,
rather than mass surveillance of everyone, generating more data
than can usefully be analysed. The increase in convictions of
people exchanging child pornography has come without wide-ranging
data retention. This proposal is disproportionate, unnecessary
and has no place in a democracy."

Documents and background material

1. Draft Framework Decision on the retention of data processed
and stored in connection with the provision of publicly available
electronic communications services or data on public communications
networks for the purpose of prevention, investigation, detection
and prosecution of crime and criminal offences including terrorism,
8958/04, 28 April 2004: full-text

1. The scope of the Framework Decision is very broad indeed.
It will put in place the compulsory retention of all communications
traffic and location data - land and mobile telephones, faxes,
e-mails, internet histories and any future communications technology
(see Article 2). It is highly doubtful whether a general reference
requiring the Framework Decision to apply automatically to all
'future technology' is precise enough to be compatible with human
rights law.

2. Communications data is to be retained for the "purpose
of prevention, investigation, detection and prosecution of crime
or criminal offences including terrorism" (the 2002 draft
limited the scope to specific investigations and prosecutions).
The idea of data retention for "crime prevention" as
distinct from investigation and prosecution is particularly disturbing,
at least outside the scope of very serious crimes such as terrorism.
This is also clearly unacceptable to the more democratic countries
in the EU and article 1(3) allows them to restrict the scope
of the Framework Decision. However, this clause is badly written,
and appears to allow a member state to exclude application of
the Framework Decision to the "prevention" of crimes/criminal
offences, while requiring it to apply the Framework Decision to
the "investigation, detection and prosecution" of crimes/criminal
offences. This means individual member states cannot limit the
Framework Decision to terrorism only, or even to selected crimes only.

3. The key provisions are in Article 3, which places an obligation
on service providers to retain and make accessible this data
to law enforcement agencies, Article 4, which sets a time period
of 12-36 months (though the member states may exceed this) and
Article 5, under which the member states will share retained
data with one another.

4. Article 2(1) defines data to include not only "traffic
data" but "location data", which would certainly
apply to mobile phone users. "User" and "subscriber"
data is potentially unrestricted and inexplicably applies to
natural persons who are not necessarily "users"
or "subscribers"! It appears that this proviso
means that if a "user" calls an individual,
they can keep data on that individual, even if that individual is
not a "user".

5. Article 2(2) sets out a mandatory list of data types to
be retained but uses the non-exhaustive term "data shall
include". Falling short of "content", which is
prohibited under this Framework Decision by Article 1(2), is
this ambiguity to allow for the collection of data from a computer
or phone other than the content of the conversation? This is
clearly another unpalatable demand for some member states and
another opt-out is available for member states (see Article 4(2)).
However, the opt-out does not apply to "telephony"
and only appears to give the power to make the retention period
shorter; it is not clear whether retention could be refused altogether.
This begs further questions in regard to the "dual criminality"
principle, under which judicial cooperation between states can
only take place where both countries criminalise the activities
under investigation. Can a member state call upon another to
send the retained data in relation to actions it does not regard
as criminal (on protestors, for example)?

6. The ambiguous wording of article 2(2) means it is unclear
exactly what the proposal covers, for instance, information on
which websites people have visited? This would appear to be tantamount
to the transmission of "content" in the case of web
surfing.

7. Article 2(3) covers the retention of data generated by
specific communications "infrastructures, architectures
and protocols". Art. 2(3)(a) applies the Framework Decision
to "Telephony excluding Short Message Services [SMS/"text
messages" from mobile phones], Electronic Media Services
and Multi Media Messaging Services". Article 2(3)(b) then
goes on to include SMS/text messages and multi-media communications
within the scope of the Framework Decision, while 2(3)(c) adds
e-mails, voice over IP (internet telephony), broadband etc. The
inherent contradiction between (a) and (b) is only explained
by a further opt-out for the member states to exclude the data
in (b) and (c) from the scope of the Framework Decision (see
Article 4(2)). Member states who do choose to derogate from these
provisions and limit retention must inform the other member states
in writing.

8. Under Article 4 data "shall be retained for a period
of at least 12 months and not more than 36 months following its
generation". However, Member States "may have longer
periods" if they believe it "constitutes a necessary,
appropriate and proportionate measure within a democratic society",
giving them carte blanche to go beyond 36 months. The complex
procedural mechanisms for member states who wish to limit
the retention period do not apply to those who wish to extend
it.

9. There are grave gaps in civil liberties protection even
compared to Schengen, the Cyber-crime convention or other recent
EU measures like the arrest warrant. The gaps are:

a). there is no ground for possible refusal to execute a request
from another Member State on human rights grounds (unlike in
the arrest warrant, proposals on confiscation and freezing, Article
15 of the Cyber-crime convention etc.). The only possibility
is for the requested state to impose "conditions" on
access to the data that reflect national procedures (Article
3).

b). two important safeguards in the data protection provisions
in the 2002 version have been dropped. Access to retained traffic
data was originally to be "given only to judicial authorities
or, in the extent that they have autonomous power in criminal
investigation prosecution, to police authorities" and "not
authorised when other measures are possible which are less intrusive
in terms of privacy and leading to similar results regarding
criminal investigation and prosecution". These restrictions
have been replaced with more ambiguous references to "competent
authorities" and "case-by-case basis" (Article
6(a)).

c). there is no reference to the involvement of supervisory
authorities on data protection (as in the SIS rules).

d). Article 6 states that the member states must have rules
on "judicial remedies" but makes no direct reference
to an individual right to access, deletion, correction or blocking
of data, or compensation where it is used unlawfully. Unless individuals
have subject access or at the very least the supervisory authorities
have the power to check what is going on, then how on earth can
this be enforced? How will anyone be able to bring judicial review
proceedings to start with?

e). the Framework Decision must be applied "in accordance
with national law". However, there must surely be a risk
that the whole process of providing for this massive data retention
obligation will encourage member states to relax the rules
which currently apply to national access to this data - the law
enforcement lobby will doubtless say it is "odd" that
all this information is being kept just for the benefit of other
member states.

f). there are no specific rules on controls on the collection
or the copying of the data (as in the SIS rules) except for a
reference to "accordance with national law".

g). there are no rules on checking on the admissibility of
searches (as in the SIS rules).

© Statewatch ISSN 1756-851X. Material may be used
providing the source is acknowledged. Statewatch
does not have a corporate view, nor does it seek to create one,
the views expressed are those of the author. Statewatch is not
responsible for the content of external websites and inclusion
of a link does not constitute an endorsement.